Announcement

**Gregery D Engle** · 24 Jul 2000, 07:10 PM

What I have done in the past is:

Username: Greg Engle
Company Name: 2dudes.com
Unlock Code: 6785-A345

the unlock code is in the format XXXX-XXXX and the first set of
XXXX is a CRC16 on the username and the second set of XXXX is
a CRC of the company name. Now this is far from full proof and
hackers have made serial number generators for one of my
applications. I think a better way of doing this would be:

Username: Greg Engle
Company Name: 2dudes.com
Generate Serial Number: 213981237918237
Unlock Code: 6785-A345

you see now that I randomly generated a serial number that is
needed when I register the application. The serial number is
internal to the program and the user can't modify it (well
it will slow a hacker down atleast)

All these functions can be done with PowerBasic very easily and
the CRC32 source code is available in the SOURCECODE forum.

Hope that helps

------------------
-Greg

**Scott Wolfington** · 24 Jul 2000, 07:35 PM

Hi Gregery,

Thanks so much for your fast response. The CRC is interesting.
Can you explain in a little more detail about what you're doing
with the serial number? Does the serial number get generated
when the user installs the software and thus it would be
different everytime they install? Or, if they had to re-install
their operating system, and re-install your software, will they
get a new serial number? If so, then I'd like to stay away from
the serial number idea because I've been down that route before.
It can become a licensing nightmare once you have a lot of
customers. It's amazing how often people re-install their
OS's and software packages (when that happens they end up calling
for a new unlock code).

Thank again!

Scott

**Semen Matusovski** · 25 Jul 2000, 03:49 AM

Scott --
Long serial no. is enough uncomfortable for customers and enough dangerous (on next day you can see this ser. no on hackers' sites).
I think, that it's better to use license files, which depends of customer's name and PC
(BIOS' date, serial no. of HDD, CPU and so on).
I prefer hardware electronic keys, but sometimes I use license file like alternative.
In this case I do following ...
I place all files in Internet and update releases enough often.
If simply to download, a program doesn't work, because it needs a license file (or electronic key).
Meanwhile I upload into Internet a special program.
If customer prefers a license file, he should start this program on PC, where my program should stay.
Utility collects information about PC and prepares "secret" file.
Customer sends me money & "secret" file.
On my PC I convert this secret file to the license file and send it back by E-Mail.
Of course, sometimes users change PCes and need a new license file.
Because I can't test, I "trust" customers.
1) most of people are honest.
2) in my case customers should pay every year.
My experience shows that during an year I need to change 25% of license files maximum.
Of course, if customer will require to change license file two times per day, I willn't beleive, but I didn't meet such things.

------------------

**Patrice Terrier** · 25 Jul 2000, 04:16 AM

I have the same kind of problem to produce a large set of CD-ROM
that need to be duplicated by the way of master duplication.
There is a label on the CD-ROM box with the serial number key,
(like Microsoft products).
Then the user will have to enter his name and company name and the
key number printed on the CD-ROM box.

If you have a better idea I shall be glad to hear about it.
But it must be usable with CD-ROM master duplication.

------------------
Patrice Terrier
mailto

[email protected][email protected]</A>

**Scott Turchin** · 25 Jul 2000, 06:42 AM

It's not that all of these suggestions aren't good, because they are VERY good...

But when someone hits it at a register level and inserts a JMP over your function call, it just became licensed and registered...

I found out the hard way, a crack was released for Winlog For Windows 98 long time ago...

I'm liking the concept of crippleware more and more, because you can't crack what just isn't there..

However, I have a nice little function that will check the day of install and compare it to how many days you allow the appliation to run..

Email me if interested.

Scott

------------------
Scott
mailto:[email protected][email protected]</A>

**Scott Wolfington** · 25 Jul 2000, 06:47 AM

Hi Scott!

Yeah, I understand where you are coming from. That's why
I said in my first post that I just want to keep honest
people honest. I'd love to check out the function you have.
I'll email you now. Thanks again!

Scott

**Gregery D Engle** · 25 Jul 2000, 06:57 AM

Originally posted by Scott Wolfington:
Does the serial number get generated
when the user installs the software and thus it would be
different everytime they install?

Well what I have done in the past to generate a serial number is
open a file and randomly create 1024 bytes, a simple chr(rnd(...))
should work fine, and then take a CRC32 of that file. Now I
just put that file in the windows\system directory and if
someone uninstalls my program and then reinstalls the serial
number will stay the same. Unless of course they delete the
file but if you set the same of the file back (in sourcecode forum)
it will make it harder.

------------------
-Greg

**Steve Hutchesson** · 26 Jul 2000, 12:57 AM

Scott,

If I understand what you are after, the simplest and tidiest approach is
to probably make a key file for each registered customer that has their
name in it so it displays in the About box as a product registered to
either them or their company.

Any reasonable cracker can produce a key-generator that will do the job
of breaking your protection but it will deter many from giving out the
keyfile because it has their name in it.

There are many elaborate techniques for protecting EXE files and some
work better than others but at the crunch, they all can be broken by a
person who properly understands the workings of binary files. Trying
to bury junk in the registry is a flop, it is easy for a cracker to
track it during installation, serial number schemes are simple practice
for the kids in Softice so a more personal approach is probably better
for what you had in mind.

Regards & good luck.

[email protected]

------------------

**John Kovacich** · 30 Jul 2000, 08:39 AM

I consider three states for my programs:
1. No registration exists, Demo.
2. Incorrect registration exists, Crack.
3. Correct registration exists, Normal.

Demo mode runs with some limited functionality, but crack mode
appears normal, but gives randomly incorrect results (bugs).

It is far harder to accurately identify bugs than a message which
identifies the code as unregistered. I know of cases (another
company) where users called tech support for help with bugs,
(alerting the company of pirated software).

------------------

**Ketil Krumm** · 30 Jul 2000, 04:22 PM

Scott (and everybody else),

I guess the lengths you'd go to to try and avoid illegitimate copies depends on the price of the software and the number of potential buyers.

I do like key files myself, as they're easily distributed (small, very suitable for emailing). I include at the very least a name and authorization code, and then check in my code that these two match. Of course, some apps will let you display the piracy, as the registered name could be a fixed part of reports etc.

As for "hitting it at the registerlevel", that would take some doing. I sometimes use Shrinker from Blink, Inc ( http://www.blinkinc.com ) to compress my exe whether that's needed or not, as it also renders the exe very difficult (probably not impossible) to disassemble. Also, if it's a small app, you could embed the key as a resource in the exe, and then run Shrinker on it. I admit to not being very knowledgable on the ins and outs of hacking techniques, but I imagine the hacker must be very determined to bother with a setup like that.

Works for me, anyway, but then I haven't written any really large audience apps. Most of what I do is very specialized, and of no general interest.

Just thought the Shrinker approach might be useful for some.

Ketil

------------------

**Ketil Krumm** · 30 Jul 2000, 04:24 PM

[Deleted - double post...]

[This message has been edited by Ketil Krumm (edited August 02, 2000).]

**Gregery D Engle** · 30 Jul 2000, 06:14 PM

Ketil,

The downfall on EXE compressors is that when it loads in memory it
extracts the whole thing in memory so any hacker can just read
the contents of memory to get the info. Much debate on the
EXE compressors to begin with, personally I dislike them because
of the lack of performace.

------------------
-Greg

**Patrice Terrier** · 30 Jul 2000, 11:55 PM

Well i think the best way to protect valuable softwares is to use a dungle key.

------------------
Patrice Terrier
mailto

[email protected][email protected]</A>

**Ketil Krumm** · 2 Aug 2000, 01:26 PM

Gregery,

I basically agree with you, but they do have their uses. I purchased Shrinker after having written an applet to search for Norwegian postal codes. It had to be completely free text search, and I wanted it as a single file (i.e. no separate data file etc.).

I embedded the data as an RCDATA resource in the EXE, which was then 3 MB+. After running Shrinker on it it was 300 KB+, and loaded a lot faster due to the reduction in disk file size (not to mention the improved performance when loading it over a LAN!). It provided just what I needed in this case, and the memory overhead for Shrinker is just 40 KB (or so they claim, I never tested it).

As for just dumping the memory content after decompression, I probably stand corrected. As I said, the ins and outs of hacking techniques never were my domain...

Ketil

------------------

[This message has been edited by Ketil Krumm (edited August 02, 2000).]

Announcement

Licensing Scheme

Licensing Scheme

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment